CVE-2026-34230: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path.
This results in a denial of service condition for applications using Rack::Deflater.
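As an added example (not Rack's own code and not the upstream fix), a small Rack middleware that can be mounted ahead of Rack::Deflater to strip Accept-Encoding headers carrying an unreasonable number of entries, so the vulnerable selection path never sees a large wildcard list; the entry limit and the middleware name are assumptions.

```ruby
# AcceptEncodingGuard: bounds the number of Accept-Encoding entries that reach
# Rack::Deflater. Added example, not part of Rack; the limit is an assumption.
class AcceptEncodingGuard
  # Assumption: no legitimate client advertises more than a handful of codings.
  DEFAULT_MAX_ENTRIES = 16

  def initialize(app, max_entries: DEFAULT_MAX_ENTRIES)
    @app = app
    @max_entries = max_entries
  end

  # Number of non-empty comma-separated entries (wildcards included) in the
  # raw header value; nil (header absent) counts as zero.
  def self.entry_count(value)
    return 0 if value.nil?
    value.split(",").count { |entry| !entry.strip.empty? }
  end

  def call(env)
    header = env["HTTP_ACCEPT_ENCODING"]
    if self.class.entry_count(header) > @max_entries
      # Copy the env and drop the header: with no Accept-Encoding present,
      # Rack::Deflater falls back to identity (no compression) instead of
      # evaluating the oversized list in select_best_encoding.
      env = env.dup
      env.delete("HTTP_ACCEPT_ENCODING")
      env["accept_encoding_guard.dropped"] = true  # for logging/metrics
    end
    @app.call(env)
  end
end
```

Mount it before the compressor (`use AcceptEncodingGuard` ahead of `use Rack::Deflater`) so the header is sanitised before encoding selection runs.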